From 84ebef8c71a355ed5efeb6315a189c812f8bd06d Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 22 Sep 2022 00:57:17 -0500
Subject: [PATCH] controllers: return 400 instead of 403 for GET requests with body.

Fix for 3184e77de. Return 400 Bad Request instead of 403 Forbidden for GET requests with a body.
---
 app/controllers/application_controller.rb | 4 ++--
 test/functional/application_controller_test.rb | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f1616817e..e68c60f3f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -118,12 +118,12 @@ class ApplicationController < ActionController::Base
 render_error_page(500, exception, template: "static/search_timeout", message: "The database timed out running your query.")
 when ActionController::BadRequest
 render_error_page(400, exception, message: exception.message)
+ when RequestBodyNotAllowedError
+ render_error_page(400, exception, message: "Request body not allowed for #{request.method} request")
 when SessionLoader::AuthenticationFailure
 render_error_page(401, exception, message: exception.message, template: "sessions/new")
 when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest, ActionController::Redirecting::UnsafeRedirectError
 render_error_page(403, exception, message: exception.message)
- when RequestBodyNotAllowedError
- render_error_page(403, exception, message: "Request body not allowed for #{request.method} request")
 when ActiveSupport::MessageVerifier::InvalidSignature, # raised by `find_signed!`
 User::PrivilegeError,
 Pundit::NotAuthorizedError
diff --git a/test/functional/application_controller_test.rb b/test/functional/application_controller_test.rb
index 799eb40e0..dfd57632a 100644
--- a/test/functional/application_controller_test.rb
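Review bot: The new `when RequestBodyNotAllowedError` branch sits directly after `when ActionController::BadRequest`, and `case`/`when` on exception classes matches with `===`, so if RequestBodyNotAllowedError is (or later becomes) a subclass of ActionController::BadRequest — its definition is not in this diff — the BadRequest branch would match first and the custom message would never be rendered. Putting the more specific class first, or giving the error its own message so both can share `when ActionController::BadRequest, RequestBodyNotAllowedError` with `message: exception.message`, removes that ordering dependency. A one-line comment above the new branch would also record the intent of this commit, e.g. `# a body on a GET is a malformed request (400), not an authorization failure (403)`. The `request.method` value interpolated into the message is client-derived, which is fine as long as render_error_page's templates escape it; this hunk does not show that. The enclosing rescue handler begins and ends outside the hunk.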
+++ b/test/functional/application_controller_test.rb
@@ -10,10 +10,10 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
 assert_response 406
 end
- should "return 403 Bad Request for a GET request with a body" do
+ should "return 400 Bad Request for a GET request with a body" do
 get root_path, headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json" }, env: { RAW_POST_DATA: "tags=touhou" }
- assert_response 403
+ assert_response 400
 assert_equal("ApplicationController::RequestBodyNotAllowedError", response.parsed_body["error"])
 assert_equal("Request body not allowed for GET request", response.parsed_body["message"])
 end
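Review bot: The test pins the 400 status and the message text only for GET, while the controller message interpolates `request.method`, so if the guard that raises RequestBodyNotAllowedError (outside this diff) rejects bodies on other methods too, their status and message stay unverified. A second `should` case for one of those methods, asserting 400 and the corresponding `"Request body not allowed for <METHOD> request"` text, would lock in the interpolated message rather than the GET wording alone. The test class continues outside the hunk.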